This example shows reflexive access lists configured for an external interface.
This configuration example permits both inbound and outbound TCP traffic at interface Serial 1, but only if the first packet (in a given session) originated from inside your network. The interface Serial 1 connects to the Internet.
Define the interface where the session-filtering configuration is to be applied:
interface serial 1
description Access to the Internet via this interface
Apply access lists to the interface, for inbound traffic and for outbound traffic:
ip access-group inboundfilters in
ip access-group outboundfilters out
Define the outbound access list. This is the access list that evaluates all outbound traffic on interface Serial 1.
ip access-list extended outboundfilters
Define the reflexive access list tcptraffic. This entry permits all outbound TCP traffic and creates a new access list named tcptraffic. Also, when an outbound TCP packet is the first in a new session, a corresponding temporary entry will be automatically created in the reflexive access list tcptraffic.
permit tcp any any reflect tcptraffic
Define the inbound access list. This is the access list that evaluates all inbound traffic on interface Serial 1.
ip access-list extended inboundfilters
Define the inbound access list entries. This example shows Enhanced IGRP permitted on the interface. Also, no ICMP traffic is permitted. The last entry points to the reflexive access list. If a packet does not match the first two entries, the packet will be evaluated against all the entries in the reflexive access list tcptraffic.
permit eigrp any any
deny icmp any any
evaluate tcptraffic
Define the global idle timeout value for all reflexive access lists. In this example, when the reflexive access list tcptraffic was defined, no timeout was specified, so tcptraffic uses the global timeout. Therefore, if for 120 seconds there is no TCP traffic that is part of an established session, the corresponding reflexive access list entry will be removed.
ip reflexive-list timeout 120
The example configuration looks as follows:
interface Serial 1
description Access to the Internet via this interface
ip access-group inboundfilters in
ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
permit eigrp any any
deny icmp any any
evaluate tcptraffic
With this configuration, before any TCP sessions have been initiated the
show
access-list EXEC command displays the following:
Extended IP access list inboundfilters
permit eigrp any any
deny icmp any any
evaluate tcptraffic
Extended IP access list outboundfilters
permit tcp any any reflect tcptraffic
Notice that the reflexive access list does not appear in this output. This is because before any TCP sessions have been initiated, no traffic has triggered the reflexive access list, and the list is empty (has no entries). When empty, reflexive access lists do not show up in
show
access-list output.
After a Telnet connection is initiated from within your network to a destination outside of your network, the
show
access-list EXEC command displays the following:
Extended IP access list inboundfilters
permit eigrp any any
deny icmp any any
evaluate tcptraffic
Extended IP access list outboundfilters
permit tcp any any reflect tcptraffic
Reflexive IP access list tcptraffic
permit tcp host 172.19.99.67 eq telnet host 192.168.60.185 eq 11005 (5 matches) (time
left 115 seconds)
Notice that the reflexive access list tcptraffic now appears and displays the temporary entry generated when the Telnet session initiated with an outbound packet.